Enhance infrastructure and application configurations
- Updated AGENTS.md to include new directories for execution plans and implemented feature reports. - Modified Ansible host variables for dev-02 and gpu-01 to change API endpoints and add new configurations for Scaleway. - Adjusted firewall rules in gpu-01 to allow HTTPS traffic instead of the previous Ollama port. - Added OAuth2 proxy configurations to gpu-01 for enhanced security. - Removed deprecated open-webui module from Terraform app configurations. - Updated Terraform configurations to reflect changes in local variables and removed unused secrets. - Created a new sectool.json file for CloudNS integration with Bitwarden. - Enhanced SELinux configurations for nginx to allow connections to any port and added oauth2-proxy port.
This commit is contained in:
@@ -10,6 +10,7 @@ llama_server_extra_groups: "users,video"
|
||||
llama_server_devices: []
|
||||
llama_server_env: {}
|
||||
llama_server_port: 11434
|
||||
llama_server_bind: "0.0.0.0"
|
||||
llama_server_preset_global: {}
|
||||
llama_server_host: "127.0.0.1"
|
||||
llama_server_argv_extra: []
|
||||
|
||||
@@ -135,7 +135,7 @@
|
||||
state: started
|
||||
device: "{{ llama_server_devices | default(omit) }}"
|
||||
env: "{{ llama_server_env | default(omit) }}"
|
||||
ports: "0.0.0.0:{{ llama_server_port }}:8080/tcp"
|
||||
ports: "{{ llama_server_bind }}:{{ llama_server_port }}:8080/tcp"
|
||||
volumes:
|
||||
- "{{ llama_server_home }}/models:/models:Z"
|
||||
- "{{ llama_server_home }}/.cache:/app/.cache:Z"
|
||||
|
||||
@@ -44,3 +44,18 @@
|
||||
become: true
|
||||
ansible.builtin.command: restorecon -Rv /etc/letsencrypt
|
||||
changed_when: false
|
||||
|
||||
- name: Set SELinux boolean to allow nginx to connect to any port
|
||||
become: true
|
||||
ansible.builtin.command: semanage boolean -m --on nginx_connect_any
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
when: ansible_selinux.status == "enabled"
|
||||
|
||||
- name: Add oauth2-proxy port to SELinux http_port_t
|
||||
become: true
|
||||
ansible.builtin.command: >-
|
||||
semanage port -a -t http_port_t -p tcp {{ nginx_proxy_oauth2_proxy_port }}
|
||||
failed_when: false
|
||||
changed_when: false
|
||||
when: ansible_selinux.status == "enabled"
|
||||
|
||||
@@ -22,6 +22,7 @@
|
||||
mode: "0755"
|
||||
owner: root
|
||||
group: root
|
||||
remote_src: true
|
||||
|
||||
- name: Create oauth2-proxy config directory
|
||||
become: true
|
||||
|
||||
@@ -13,6 +13,7 @@ server {
|
||||
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
||||
|
||||
{% if not (item.no_auth | default(false) | bool) %}
|
||||
# Redirect unauthenticated requests to OAuth2 sign-in
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
|
||||
@@ -52,13 +53,16 @@ server {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
{% if not (item.no_auth | default(false) | bool) %}
|
||||
auth_request /oauth2/auth;
|
||||
auth_request_set $auth_status $upstream_status;
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
{% endif %}
|
||||
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
|
||||
|
||||
proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }};
|
||||
|
||||
Reference in New Issue
Block a user